Microsoft Security Copilot integration in Defender EASM

Microsoft Defender External Attack Surface Management (Defender EASM) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. This visibility helps security and IT teams identify unknowns, prioritize risk, eliminate threats, and extend vulnerability and exposure control beyond the firewall. Attack surface insights are generated by analyzing vulnerability and infrastructure data to showcase the key areas of concern for your organization.

Microsoft Security Copilot (Security Copilot) integration in Defender EASM helps you interact with Microsoft-discovered attack surfaces. Identifying attack surfaces helps your organization quickly understand its externally facing infrastructure and relevant, critical risks. It provides insight into specific areas of risk, including vulnerabilities, compliance, and security hygiene.

For more information about Security Copilot, see What is Security Copilot?. For information about the embedded Security Copilot experience, see Query your attack surface with Defender EASM by using Microsoft Copilot in Azure.

Know before you begin

If you're new to Security Copilot, it's a good idea to familiarize yourself with the solution by reading these articles:

• What is Microsoft Security Copilot?
• Security Copilot experiences
• Get started with Security Copilot
• Understand authentication in Security Copilot
• Prompting in Security Copilot

Security Copilot in Defender EASM

Security Copilot can surface insights from Defender EASM about your organization's attack surface. You can use Security Copilot built-in features. To get more information, use prompts in Security Copilot. The information can help you understand your security posture and mitigate vulnerabilities.

This article introduces you to Security Copilot and includes sample prompts that can help Defender EASM users.

Key features

The EASM Security Copilot integration can help you:

• Get a snapshot of your external attack surface and generate insights into potential risks.

  You can get a quick view of your external attack surface by analyzing internet-available information combined with the Defender EASM proprietary discovery algorithm. It provides an easy-to-understand natural language explanation of the organization's externally facing assets, such as hosts, domains, webpages, and IP addresses. It highlights the critical risks associated with each.

• Prioritize remediation efforts based on asset risk and Common Vulnerabilities and Exposures (CVEs) list items.

  Defender EASM helps security teams prioritize their remediation efforts by helping them understand which assets and CVEs pose the greatest risk in their environment. It analyzes vulnerability and infrastructure data to showcase key areas of concern, providing a natural language explanation of the risks and recommended actions.

• Use Security Copilot to surface insights.

  You can use Security Copilot to ask about insights by using natural language and extract insights from Defender EASM about your organization's attack surface. Query details like the number of Secure Sockets Layer (SSL) certificates that aren't secure, ports that are detected, and specific vulnerabilities that affect the attack surface.

• Expedite attack surface curation.

  Use Security Copilot to curate your attack surface by using labels, external IDs, and state modifications for a set of assets. This process speeds up curation, so you can organize your inventory faster and more efficiently.

Enable Security Copilot integration

To set up Security Copilot integration in Defender EASM, complete the steps described in the next sections.

Prerequisites

To enable integration, you need to have these prerequisites:

• Access to Microsoft Security Copilot
• Permissions to activate new connections

Connect Security Copilot to Defender EASM

1. Access Security Copilot and ensure that you're authenticated.

2. Select the Security Copilot plugin icon on the upper-right side of the prompt input bar.

   

3. Under Microsoft, locate Defender External Attack Surface Management. Select On to connect.

   

4. If you want Security Copilot to pull data from your Defender EASM resource, select the gear icon to open the plugin settings. Enter or select values by using the values from your resource's Essentials section on the Overview pane.

Sample Defender EASM prompts

Security Copilot primarily uses natural language prompts. When you query information from Defender EASM, you submit a prompt that guides Security Copilot to select the Defender EASM plugin and invoke the relevant capability.

For success with Security Copilot prompts, we recommend the following approaches:

• Ensure that you reference the company name in your first prompt. Unless otherwise specified, all future prompts then provide data about the initially specified company.

• Be clear and specific with your prompts. You might get better results if you include specific asset names or metadata values (for example, CVE IDs) in your prompts.

  It might also help to add Defender EASM to your prompt, like in these examples:

  • According to Defender EASM, what are my expired domains?
  • Tell me about Defender EASM high-priority attack surface insights.

• Experiment with different prompts and variations to see what works best for your use case. Chat AI models vary, so iterate and refine your prompts based on the results you receive.

• Security Copilot saves your prompt sessions. To see previous sessions, in Security Copilot, on the menu, select My sessions.

  For a walkthrough of Security Copilot, including the pin and share features, see Navigate Security Copilot.

For more information on writing Security Copilot prompts, see Security Copilot prompting tips.

Plugin capabilities reference

Switch between resource data and company data

Even though we added resource integration for our skills, we still support pulling data from prebuilt attack surfaces for specific companies. To improve the Security Copilot accuracy in determining when a customer wants to pull from their attack surface or from a prebuilt, company attack surface, we recommend using my, my attack surface, and so on, to convey that you want to use your resource. Use their, specific company name, and so on, to convey that you want to use a prebuilt attack surface. Although this approach does improve the experience in a single session, we strongly recommend using two separate sessions to avoid any confusion.

Provide feedback

Your feedback on Security Copilot generally, and the Defender EASM plugin specifically, is vital to guide current and planned development of the product. The optimal way to provide this feedback is directly in the product, using the feedback buttons at the bottom of each completed prompt. Select Looks right, Needs improvement, or Inappropriate. We recommend that you choose Looks right when the result matches expectations, Needs improvement when it doesn't, and Inappropriate when the result is harmful in some way.

Whenever possible, and especially when the result you select is Needs improvement, please write a few words to explain what we can do to improve the outcome. This request also applies when you expect Security Copilot to invoke the Defender EASM plugin, but a different plugin is engaged instead.

Privacy and data security in Security Copilot

When you interact with Security Copilot to get Defender EASM data, Copilot pulls that data from Defender EASM. The prompts, the data that's retrieved, and the output that's shown in the prompt results are processed and stored in the Security Copilot service.

For more information about data privacy in Security Copilot, see Privacy and data security in Security Copilot.

Related content

• Microsoft Security Copilot
• Privacy and data security in Microsoft Security Copilot
• Query your attack surface with Defender EASM by using Microsoft Copilot in Azure